EDPB’s Pseudonymisation Guidelines: Key Takeaways

The European Data Protection Board (EDPB) recently adopted new guidelines on pseudonymisation, offering essential clarifications for compliance under the General Data Protection Regulation (GDPR). These guidelines, open for public consultation until 28 February 2025, aim to help organizations better understand the application of pseudonymisation as a safeguard for data protection. Here is an attempt to break down and simplify these (highly technical) guidelines by the EDPB.

First, what is pseudonymisation?

Pseudonymisation is defined in GDPR (Article 4(5)) as the processing of personal data in such a way that it can no longer be attributed to a specific individual without the use of additional information. This additional information must be kept separately and protected by technical and organizational measures. Unlike anonymisation, pseudonymised data remains personal data because it can still be linked to an individual if the additional information is available.

Why does pseudonymisation matter?

The guidelines highlight pseudonymisation’s ability to:

  • reduce risks to data subjects by separating data from direct identifiers, minimizing confidentiality risks during unauthorized access or use;

  • support GDPR compliance by helping organizations meet principles of data protection by design and default (Article 25), implement data minimisation and purpose limitation (Article 5), and ensure appropriate security (Article 32);

  • enable flexibility by allowing for data analysis while safeguarding individual identities, making it particularly useful for research, internal analytics, and other secondary purposes.

Legal clarifications

The EDPB guidelines provide two significant clarifications:

  1. Pseudonymised data is personal data. Even if additional information is held separately, pseudonymised data remains personal if it can reasonably be linked back to an individual. This clarification (even though not new) ensures that such data continues to fall under GDPR’s protections.

  2. Pseudonymisation enables lawful processing. Pseudonymisation can make it easier to use legitimate interest as a legal basis (Article 6(1)(f)) and demonstrate compatibility with the original purpose of processing (Article 6(4)). For example, when organizations use pseudonymisation to de-link personal identifiers in customer datasets, it facilitates further processing for research while reducing risks of misuse.

Technical and organizational measures

To be effective, pseudonymisation must include both technical and organizational safeguards to prevent unauthorized re-identification. The guidelines emphasize several measures that organizations should prioritize:

  • Technical measures: Organizations should replace direct identifiers using secure cryptographic techniques such as hashing, encryption, or tokenization. Cryptographic algorithms must be chosen carefully to ensure that they are resistant to brute-force attacks and future cryptanalytic advances. For instance, advanced hashing techniques like Argon2 are recommended over weaker algorithms. Storing pseudonymisation secrets, such as encryption keys or lookup tables, in secure environments like hardware security modules is critical. In addition, systems implementing pseudonymisation should undergo regular audits to detect and fix vulnerabilities. Rate limiting, secure API access, and logging all interactions with pseudonymised data are essential to monitor and control usage.

  • Organizational measures: Access to pseudonymised data and any additional information must be strictly controlled. According to the guidelines, organizations should limit the pseudonymisation domain—defining who can access the data and excluding unauthorized parties. This includes separating pseudonymised data from its re-identification keys or information across different teams or physical locations. Naturally, staff training is essential to ensure employees handling pseudonymised data understand the limits of their access and their responsibilities. Clear policies should outline how pseudonymisation is implemented and monitored, ensuring compliance with GDPR principles like transparency and accountability.
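As an added illustration (not code from the guidelines or this post), the following Python script contrasts an unkeyed hash of a direct identifier with a keyed pseudonym whose secret key is the separately held "additional information"; the sample records, the in-memory key and the helper names are constructed for this example, and in production the key would live in an HSM or key-management service rather than beside the data.

```python
"""Pseudonymisation demo: unkeyed hash vs keyed pseudonym with the secret
kept apart from the data. Constructed example, not from the EDPB text."""
import hashlib
import hmac
import secrets

# Constructed sample customer records (not taken from the guidelines).
RECORDS = [
    {"email": "alice@example.org", "amount": 42.0},
    {"email": "bob@example.org", "amount": 13.5},
    {"email": "alice@example.org", "amount": 7.25},
]


def weak_pseudonym(identifier: str) -> str:
    """Unkeyed SHA-256: deterministic and secret-free, so anyone holding a
    list of candidate identifiers can recompute it and re-identify rows."""
    return hashlib.sha256(identifier.encode()).hexdigest()


def keyed_pseudonym(identifier: str, key: bytes) -> str:
    """HMAC-SHA256 under a secret key. The key is the 'additional information'
    (GDPR Art. 4(5)); without it the pseudonym cannot be recomputed."""
    return hmac.new(key, identifier.encode(), hashlib.sha256).hexdigest()


def pseudonymise(records: list, key: bytes) -> tuple:
    """Return analysis-ready rows (pseudonym + attributes) plus a re-identification
    table that must be stored in a separate, access-controlled domain."""
    rows, lookup = [], {}
    for rec in records:
        p = keyed_pseudonym(rec["email"], key)
        lookup[p] = rec["email"]          # stays with the key holder only
        rows.append({"pseudonym": p, "amount": rec["amount"]})
    return rows, lookup


def recomputable(rows: list, candidates: list, func) -> int:
    """Brute-force-resistance check: count pseudonyms an outsider without the
    secret could recompute from a candidate identifier list using `func`."""
    table = {func(c) for c in candidates}
    return sum(1 for r in rows if r["pseudonym"] in table)


def demo() -> tuple:
    """Returns (weak rows re-identified, keyed rows re-identified)."""
    key = secrets.token_bytes(32)         # in practice: HSM / KMS, never with the data
    candidates = [r["email"] for r in RECORDS]
    weak_rows = [{"pseudonym": weak_pseudonym(r["email"])} for r in RECORDS]
    strong_rows, _lookup = pseudonymise(RECORDS, key)
    # The outsider knows the algorithm but not the key, so only unkeyed guesses work.
    return (recomputable(weak_rows, candidates, weak_pseudonym),
            recomputable(strong_rows, candidates, weak_pseudonym))
```

Running `demo()` yields `(3, 0)`: every unkeyed pseudonym is recovered from the candidate list, none of the keyed ones are, while the same identifier still maps to the same keyed pseudonym so trend analysis across rows remains possible.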

Practical examples

The guidelines provide real-world scenarios to illustrate pseudonymisation’s benefits:

  • Internal analysis: A company pseudonymises customer transaction data for trend analysis, ensuring employees accessing the data cannot link it to individuals without additional information.

  • External sharing: When sharing pseudonymised data with a third-party research institution, the organization ensures that only de-linked data is transmitted and contractual safeguards prevent re-identification.

  • Risk mitigation in data breaches: If pseudonymised data is exposed during a security incident, the impact is significantly reduced as long as the additional information remains secure.

Pseudonymisation in cross-border data transfers

The EDPB highlights pseudonymisation’s role as a supplementary measure for international data transfers. By ensuring that the additional information remains within the EU and separate from the transferred data, organizations can mitigate the risk of unauthorized access by foreign authorities. However, the EDPB also notes that pseudonymisation alone is often insufficient and must be combined with other safeguards to ensure compliance with Chapter V of the GDPR.

Public consultation and future implications

The guidelines are open for public consultation until 28 February 2025, allowing stakeholders to provide feedback and contribute to their refinement. Here is the link to the complete guidelines.

Siyanna Lilova

Jan 22, 2025


We automate data protection compliance with AI

© Copyright 2025. All rights reserved.

CuratedAI B.V., Groeneweg 17, 9320 Aalst, Belgium 1 005.972.647
